put normal perms
ShaharNaveh committed Mar 26, 2026
commit 0d52e5e0cc85670b8bf48ab8ba0e2a9a8273f53b
3 changes: 1 addition & 2 deletions .github/workflows/ci.yaml
@@ -333,8 +333,7 @@ jobs:
runs-on: ubuntu-latest
permissions:
contents: read
# checks: write
# issues: write
checks: write
pull-requests: write
security-events: write # for zizmor
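Review bot: the hunk promotes the commented `# checks: write` to a live `checks: write` but deletes `# issues: write` outright; if that commented line was a reminder that reviewdog/action-suggester needs the scope (as the action-suggester README quoted in the review thread on this page states), enable it here instead of removing the trace, and if it is not needed, say so in a comment. Also, `checks: write` and `pull-requests: write` carry no justification the way `security-events: write # for zizmor` does; a short `# for <step>` on each write scope keeps the job's elevated token auditable against least privilege.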
Comment on lines +332 to +338
⚠️ Potential issue | 🟡 Minor

Restore the skip:ci guard on lint if that label is still meant to suppress the whole workflow.

Every other job in this workflow still short-circuits on skip:ci, but the unified lint job no longer does. Applying that label will therefore still run this path.

♻️ Suggested fix
   lint:
+    if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip:ci') }}
     name: Lint
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yaml around lines 332 - 338, the unified lint job
("name: Lint") is missing the skip:ci short-circuit used elsewhere; update the
Lint job to include the same conditional guard used by other jobs so the
workflow is skipped when the skip:ci label is present on a PR (i.e., add the
same "if" expression/guard that checks for the skip:ci label to the Lint job),
leaving the existing permissions block intact.

Comment on lines +334 to +338

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's find and examine the workflow file
find . -name "ci.yaml" -o -name "ci.yml" | head -20

Repository: RustPython/RustPython

Length of output: 92


🌐 Web query:

reviewdog/action-suggester permissions requirements documentation

💡 Result:

The reviewdog/action-suggester GitHub Action requires the following permissions in your workflow YAML:

permissions:
  contents: read
  checks: write
  issues: write
  pull-requests: write

These are specified in the official README to enable posting code suggestions via GitHub's multi-line suggestions feature on pull requests. See GitHub docs on Assigning permissions to jobs for details. The action supports pull_request events primarily.


🏁 Script executed:

# Read the workflow file around the mentioned lines
fd "ci.yaml" --type f --exec wc -l {} \; 2>/dev/null | head -5


Length of output: 47


🏁 Script executed:

# Read the workflow file to check permissions and action usage
cat -n .github/workflows/ci.yaml | sed -n '320,400p'


Length of output: 3245


🏁 Script executed:

# Also check the workflow triggers at the top
cat -n .github/workflows/ci.yaml | head -20


Length of output: 915


Add missing issues: write permission and condition the reviewdog/action-suggester to pull requests only.

The action's documentation specifies it requires issues: write in addition to checks: write and pull-requests: write. Since the workflow runs on push, merge_group, and workflow_dispatch events, the current if: failure() condition can invoke the action outside pull request context where it cannot function. Add the required permission and limit execution to pull request events.

Suggested fix
     permissions:
       contents: read
       checks: write
+      issues: write
       pull-requests: write
       security-events: write # for zizmor
       - name: reviewdog
-        if: failure()
+        if: failure() && github.event_name == 'pull_request'
         uses: reviewdog/action-suggester@aa38384ceb608d00f84b4690cacc83a5aba307ff # 1.24.0
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yaml around lines 334 - 338, add the missing permission
and guard the reviewdog action to PRs only: under the workflow permissions block
add "issues: write" alongside the existing "checks: write" and "pull-requests:
write", and update the reviewdog/action-suggester step's if condition so it only
runs in a pull request context (e.g. change the current if: failure() to an
expression that also checks the event is a pull_request, like github.event_name
== 'pull_request' && failure()).
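Both review comments above boil down to two checks a reviewer does by eye on every job: is the `skip:ci` guard present, and is every `write` scope in `permissions:` explained. The script below is an added example, not RustPython's code or the bot's, that performs those checks mechanically over the `jobs:` section of a workflow. It uses a small indentation-based reader for the 2-space-indented subset of YAML that job headers, `if:` and `permissions:` use, so it needs no third-party library; `SAMPLE_WORKFLOW` is a constructed input modelled on the shape of the diff under review, and the "no `# reason` comment" rule is this example's own convention, not a GitHub requirement.

```python
"""
Least-privilege audit for GitHub Actions jobs (added example, not RustPython's code).

For each job under `jobs:` it reports a missing `skip:ci` guard, a missing
explicit `permissions:` block, and any `write` scope without a trailing
`# reason` comment. The reader handles the 2-space-indented subset used by
job headers, `if:` and `permissions:`; it is not a general YAML parser.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: `build` is guarded and read-only; `lint` has no guard and
# holds two unexplained write scopes next to one explained one.
SAMPLE_WORKFLOW = """\
name: CI
on: [push, pull_request, merge_group, workflow_dispatch]
jobs:
  build:
    if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip:ci') }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: cargo build
  lint:
    name: Lint
    runs-on: ubuntu-latest
    permissions:
      contents: read
      checks: write
      pull-requests: write
      security-events: write # for zizmor
    steps:
      - run: cargo clippy
"""


@dataclass
class Job:
    name: str
    guard: Optional[str] = None
    # scope -> (level, trailing comment or None)
    permissions: Dict[str, Tuple[str, Optional[str]]] = field(default_factory=dict)


def parse_jobs(text: str) -> Dict[str, Job]:
    """Collect job-level `if:` and `permissions:` entries from a workflow."""
    jobs: Dict[str, Job] = {}
    in_jobs = False
    in_perms = False
    current: Optional[Job] = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:                      # top-level key: only `jobs:` matters
            in_jobs = stripped == "jobs:"
            current = None
            continue
        if not in_jobs:
            continue
        if indent == 2 and stripped.endswith(":"):   # a new job id
            current = Job(stripped[:-1])
            jobs[current.name] = current
            in_perms = False
            continue
        if current is None:
            continue
        if indent == 4:                      # job-level key (if, permissions, steps, ...)
            key, _, value = stripped.partition(":")
            in_perms = key == "permissions"
            if key == "if":
                current.guard = value.strip()
            continue
        if indent == 6 and in_perms:         # `scope: level # optional reason`
            scope, _, rest = stripped.partition(":")
            level, _, comment = rest.partition("#")
            current.permissions[scope.strip()] = (level.strip(), comment.strip() or None)
    return jobs


def audit(text: str, skip_label: str = "skip:ci") -> List[str]:
    """Return human-readable findings; an empty list means every job passes."""
    findings: List[str] = []
    for job in parse_jobs(text).values():
        if job.guard is None or skip_label not in job.guard:
            findings.append(f"{job.name}: no '{skip_label}' guard on the job")
        if not job.permissions:
            findings.append(f"{job.name}: no explicit permissions block, token inherits the default")
        for scope, (level, comment) in job.permissions.items():
            if level == "write" and comment is None:
                findings.append(f"{job.name}: {scope}: write has no '# reason' comment")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WORKFLOW):
        print(finding)
```

Run against the sample it flags only `lint`: the missing guard and the two write scopes without a reason, while `security-events: write # for zizmor` passes because it states why it is there. Pointing `audit()` at a real workflow file is a cheap pre-merge check that elevated token scopes never land unexplained.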

steps: